Best Practices
Avoid generating JWTs with unlimited or very long expiry.
Create short-lived JWTs that are valid only for a few minutes using the exp claim in the payload.
Use the nbf claim for scheduled meetings so that the host cannot create a meeting before the meeting start time.
Limit one JWT to a single room by setting room to the meeting roomName instead of "*".
Keep your API key safe and secret.
Until now we have been using static tokens for testing. We can use the following code snippets instead to generate JWTs on the go when someone creates a meeting.
Find and replace all instances of cm-consumer-id with your Clan Meeting consumer ID in the code below.
Get your private SSH key file and replace cm-api-key.pem in the code snippets below with the exact file name. Add the relative file path if required.
Use Composer to manage your dependencies and download PHP-JWT:
Optionally, install the paragonie/sodium_compat package from Composer if your PHP is < 7.2 or does not have libsodium installed:
Add the following to your Gemfile
The RS256 algorithm should be supported by the library used to generate the JWT.
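The following is an added example, not Clan Meeting's own code: it enforces the exp, nbf and room practices listed above before signing with RS256, using only Ruby's standard library. The function names, the 300-second cap and the throwaway key (standing in for cm-api-key.pem) are assumptions, and any other claims Clan Meeting requires are not shown.

```ruby
require "openssl"
require "json"

MAX_TTL = 300 # seconds; assumed reading of "a few minutes"

# Build room/exp/nbf claims, refusing the patterns the list above warns about.
def meeting_claims(room:, starts_at: nil, ttl: MAX_TTL, now: Time.now)
  raise ArgumentError, "room must name one room, not a wildcard" if room.to_s.strip.empty? || room.to_s.include?("*")
  raise ArgumentError, "ttl must be 1..#{MAX_TTL} seconds" unless (1..MAX_TTL).cover?(ttl)
  valid_from = [starts_at, now].compact.max.to_i
  claims = { "room" => room, "exp" => valid_from + ttl }
  claims["nbf"] = valid_from if starts_at # scheduled meeting: unusable before start
  claims
end

def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(text)
  (text.tr("-_", "+/") + "=" * (-text.length % 4)).unpack1("m0")
end

# Sign header.payload with RS256 (RSASSA-PKCS1-v1_5 with SHA-256).
def sign_rs256(claims, private_key)
  input = [{ "alg" => "RS256", "typ" => "JWT" }, claims].map { |part| b64url(JSON.generate(part)) }.join(".")
  "#{input}.#{b64url(private_key.sign(OpenSSL::Digest.new("SHA256"), input))}"
end

# Check algorithm, signature and time window; returns the claims or raises.
def verify_rs256(token, public_key, now: Time.now)
  header, payload, signature = token.split(".")
  raise "unexpected alg" unless JSON.parse(b64url_decode(header))["alg"] == "RS256"
  raise "bad signature" unless public_key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(signature), "#{header}.#{payload}")
  claims = JSON.parse(b64url_decode(payload))
  raise "expired" if now.to_i >= claims["exp"]
  raise "not yet valid" if claims["nbf"] && now.to_i < claims["nbf"]
  claims
end

# Constructed throwaway key; a real deployment loads cm-api-key.pem instead.
DEMO_KEY = OpenSSL::PKey::RSA.new(2048)
```

Passing a fixed `now:` to both functions makes the validity window easy to check in tests without waiting for real time to pass.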